Any fool can know. The point is to understand. – Albert Einstein
Two things are infinite: the universe and human stupidity; and I’m not sure about the universe. – Albert Einstein
This week I am posting a five-part series on FCPA compliance issues. While there have been many advances in the anti-corruption ethics and compliance field, there is still more work to do to advance effective strategies for anti-corruption compliance.
An effective compliance program depends on assessment of risk. The importance of understanding a company’s risk permeates every aspect of a company’s anti-corruption compliance program. Risk-ranking is a critical function when assessing risk. However, there is a significant nuance here – risk-ranking provides important insights between and among various types of risks, usually within the same category. In more sophisticated programs, risk ranking is only part of the equation – ranking is one step, and relative risk understanding is another important step.
The FCPA Guidance issued by DOJ and the SEC in November 2012 (available here) stated it best:
One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas. Devoting a disproportionate amount of time policing modest entertainment and gift-giving instead of focusing on large government bids, questionable payments to third-party consultants, or excessive discounts to resellers and distributors may indicate that a company’s compliance program is ineffective. A $50 million contract with a government agency in a high-risk country warrants greater scrutiny than modest and routine gifts and entertainment.
As reflected in this statement, the concept of relative risk is part of an overall risk assessment. Gift-giving risks create relatively lower risks than large government bids, and questionable payments to third parties.
But there is more to the concept of relative risks that need to be explored. The same principle of risk assessments applies to third-party risk management. The FCPA Guidance addressed the issue:
[P]erforming identical due diligence on all third-party agents, irrespective of risk factors, is often counterproductive, diverting attention and resources away from those third parties that pose the most significant risks.
In the third-party risk management system, companies usually rank their third parties to determine which third parties require greater scrutiny than others. Many companies employ a risk-ranking formula to target due diligence, risk monitoring and audits. Ranking is only the first step in the process because relative risk is needed to fine tune the allocation of resources and ultimate time and attention given to specific third parties.
My point is yet another example of a profound grasp of the obvious.
As an example, consider the following situation – 100 third parties are ranked according to a formula. However, the allocation of resources cannot just simply be made in accordance with the ranking of 1 to 100. Within the 100, there needs to be some attempt to apply relative risks among the third parties. The top 10 high-risk third parties may account for 90 percent of all of the company’s third-party risk.
Companies have to refine their own internal risk assessment process for anti-corruption programs across all of the risks in order to allocate resources in an efficient manner.
In the end, relative risk assessment can be divided into two discrete functions.
The first is within a specific category of risks. So, for example, when considering third-party risks, relative risk-ranking is a more refined analysis of not only how to rank the risks on a scale but to examine relative degrees of risks within the ranking of third parties.
The second is to apply relative risk assessment across discrete risks. In this scenario, a company has to assess the nature of its third-party risks in relation to its other anti-corruption risks, including for example government tenders, gifts, meals, entertainment, and regulatory inactions. Again, this refinement of risk ranking is meant to focus on relative risks across certain categories of risk.
